Abstract. We propose a novel approach for coping with alternating quantification as the main source of nonelementary complexity of deciding WS1S formulae. Our approach is applicable within the state-of-the-art automata-based WS1S decision procedure implemented, e.g., in MONA. The way in which the standard decision procedure processes quantifiers involves determinization, with its worst case exponential complexity, for every quantifier alternation in the prefix of a formula. Our algorithm avoids building the deterministic automata; instead, it constructs only those of their states needed for (dis)proving validity of the formula. It uses a symbolic representation of the states, which have a deeply nested structure stemming from the repeated implicit subset construction, and prunes the search space by a nested subsumption relation, a generalization of the one used by the so-called antichain algorithms for handling nondeterministic automata. We have obtained encouraging experimental results, in some cases outperforming MONA by several orders of magnitude.


1 Introduction 

Weak monadic second-order logic of one successor (WS1S) is a powerful, concise, and decidable logic for describing regular properties of finite words. Despite its nonelementary worst case complexity [1], it has been shown useful in numerous applications. Most of the successful applications were due to the tool MONA [5], which implements a finite automata-based decision procedure for WS1S and WS2S (a generalization of WS1S to finite binary trees). The authors of MONA list a multitude of its diverse applications [3], ranging from software and hardware verification through controller synthesis to computational linguistics, and further on. Among more recent applications, verification of pointer programs and deciding related logics [4,5,6,7,8] can be mentioned, as well as synthesis from regular specifications [5]. MONA is still the standard tool and the most common choice when it comes to deciding WS1S/WS2S. There are other related automata-based tools that are more recent, such as jMosel [10] for the logic M2L(Str), and approaches other than automata-based ones, such as [11]. They implement optimizations that allow them to outperform MONA on some benchmarks; however, none provides evidence of being consistently more efficient. Despite many optimizations implemented in MONA and the other tools, the worst case complexity of the problem sometimes strikes back. Authors of methods using the translation of their problem to WS1S/WS2S are then forced to either find workarounds to circumvent the complexity blowup, such as in [?], or, often restricting the input of their approach, give up translating to WS1S/WS2S altogether [12].

The decision procedure of MONA works with deterministic automata; it uses determinization extensively and relies on minimization of deterministic automata to suppress the complexity blow-up. However, the worst case exponential complexity of determinization often significantly harms the performance of the tool. Recent works on efficient methods for handling nondeterministic automata suggest a way of alleviating this problem, in particular works on efficient testing of language inclusion and universality of finite automata [13,14,15] and size reduction [16,17] based on a simulation relation. Handling nondeterministic automata using these methods, while avoiding determinization, has been shown to provide great efficiency improvements in [18] (abstract regular model checking) and also [19] (shape analysis). In this paper, we make a major step towards building the entire decision procedure of WS1S on nondeterministic automata using similar techniques. We propose a generalization of the antichain algorithms of [13,14] that addresses the main bottleneck of the automata-based decision procedure for WS1S, which is also the source of its nonelementary complexity: elimination of alternating quantifiers on the automata level.

More concretely, the automata-based decision procedure translates the input WS1S formula into a finite word automaton such that its language represents exactly all models of the formula. The automaton is built in a bottom-up manner according to the structure of the formula, starting with predefined atomic automata for literals and applying a corresponding automata operation for every logical connective and quantifier ($\wedge, \vee, \neg, \exists$). The cause of the nonelementary complexity of the procedure can be explained on an example formula of the form $\psi' = \exists X_m \forall X_{m-1} \ldots \forall X_2 \exists X_1 : \psi_0$. The universal quantifiers are first replaced by negation and existential quantification, which results in $\psi = \exists X_m \neg\exists X_{m-1} \ldots \neg\exists X_2 \neg\exists X_1 : \psi_0$. The algorithm then builds a sequence of automata for the sub-formulae $\psi_0, \psi_0^\sharp, \ldots, \psi_{m-1}, \psi_{m-1}^\sharp$ of $\psi$ where, for $0 \le i < m$, $\psi_i^\sharp = \exists X_{i+1} : \psi_i$ and $\psi_{i+1} = \neg\psi_i^\sharp$. Every automaton in the sequence is created from the previous one by applying the automata operation corresponding to negation or to elimination of the existential quantifier, the latter of which may introduce nondeterminism. Negation applied on a nondeterministic automaton may then yield an exponential blowup: given an automaton for $\psi$, the automaton for $\neg\psi$ is constructed by the classical automata-theoretic construction consisting of determinization by the subset construction followed by swapping of the sets of final and non-final states. The subset construction is exponential in the worst case. The worst case complexity of the procedure run on $\psi$ is then a tower of exponentials with one level for every quantifier alternation in $\psi$; note that we cannot do much better: this non-elementary complexity is an inherent property of the problem.
Our new algorithm for processing alternating quantifiers in the prefix of a formula avoids the explicit determinization of automata in the classical procedure and significantly reduces the state space explosion associated with it. It is based on a generalization of the antichain principle used for deciding universality and language inclusion of finite automata [13,14]. It generalizes the antichain algorithms so that, instead of being used to process only one level of the chain of automata, it processes the whole chain of quantifications with $i$ alternations on-the-fly. This leads to working with automata states that are sets of sets of sets ... of states of the automaton representing $\varphi_0$ of nesting depth $i$ (this corresponds to $i$ levels of subset construction being done on-the-fly). The algorithm uses nested symbolic terms to represent sets of such automata states and a generalized version of antichain subsumption pruning which descends recursively down the structure of the terms while pruning on all its levels.

Our nested antichain algorithm can in its current form be used only to process a quantifier prefix of a formula, after which we return the answer to the validity query, but not an automaton representing all models of the input formula. That is, we cannot use the optimized algorithm for processing inner negations and alternating quantifiers which are not a part of the quantifier prefix. However, despite this and the fact that our implementation is far less mature than that of MONA, our experimental results still show significant improvements over its performance, especially in terms of generated state space. We consider this a strong indication that using techniques for nondeterministic automata to decide WS1S (and WSkS) is highly promising. There are many more opportunities for improving the decision procedure based on nondeterministic automata, by using techniques such as simulation relations or bisimulation up-to congruence [20], and applying them to process not only the quantifier prefix, but all logical connectives of a formula. We consider this paper to be the first step towards a decision procedure for WS1S/WSkS with an entirely different scalability than the current state-of-the-art.

Plan of the paper. We define the logic WS1S in Section 2. In Sections 3 and 4 we introduce finite word automata and describe the classical decision procedure for WS1S based on finite word automata. In Section 5 we introduce our method for dealing with alternating quantifiers. Finally, we give an experimental evaluation and conclude the paper in Sections 6 and 7.


2 WS1S

In this section we introduce the weak monadic second-order logic of one successor (WS1S). We introduce only its minimal syntax here; for the full standard syntax and a more thorough introduction, see Section 3.3 in [21].

WS1S is a monadic second-order logic over the universe of discourse $\mathbb{N}_0$. This means that the logic allows second-order variables, usually denoted using upper-case letters $X, Y, \ldots$, that range over finite subsets of $\mathbb{N}_0$, e.g. $X = \{0, 3, 42\}$. Atomic formulae are of the form (i) $X \subseteq Y$, (ii) $Sing(X)$, (iii) $X = \{0\}$, and (iv) $X = Y + 1$, where $X$ and $Y$ are variables. The atomic formulae are interpreted in turn as (i) standard set inclusion, (ii) the singleton predicate, (iii) $X$ is a singleton containing 0, and (iv) $X = \{x\}$ and $Y = \{y\}$ are singletons and $x$ is the successor of $y$, i.e. $x = y + 1$. Formulae are built from the atomic formulae using the logical connectives $\wedge, \vee, \neg$, and the quantifier $\exists X$ (for a second-order variable $X$).

Given a WS1S formula $\varphi(X_1, \ldots, X_n)$ with free variables $X_1, \ldots, X_n$, the assignment $\rho = \{X_1 \mapsto S_1, \ldots, X_n \mapsto S_n\}$, where $S_1, \ldots, S_n$ are finite subsets of $\mathbb{N}_0$, satisfies $\varphi$, written as $\rho \models \varphi$, if the formula holds when every variable $X_i$ is replaced with its corresponding value $S_i = \rho(X_i)$. We say that $\varphi$ is valid, denoted as $\models \varphi$, if it is satisfied by all assignments of its free variables to finite subsets of $\mathbb{N}_0$. Observe the limitation to finite subsets of $\mathbb{N}_0$ (related to the adjective weak in the name of the logic); a WS1S formula can indeed only have finite models (although there may be infinitely many of them).

3 Preliminaries and Finite Automata 

For a set $D$ and a set $\mathcal{S} \subseteq 2^D$, we use $\downarrow\mathcal{S}$ to denote the downward closure of $\mathcal{S}$, i.e. the set $\downarrow\mathcal{S} = \{R \subseteq D \mid \exists S \in \mathcal{S} : R \subseteq S\}$, and $\uparrow\mathcal{S}$ to denote the upward closure of $\mathcal{S}$, i.e. the set $\uparrow\mathcal{S} = \{R \subseteq D \mid \exists S \in \mathcal{S} : R \supseteq S\}$. The set $\mathcal{S}$ is in both cases called the set of generators of $\uparrow\mathcal{S}$ or $\downarrow\mathcal{S}$ respectively. A set $\mathcal{S}$ is downward closed if it equals its downward closure, $\mathcal{S} = \downarrow\mathcal{S}$, and upward closed if it equals its upward closure, $\mathcal{S} = \uparrow\mathcal{S}$. The choice operator $\coprod$ (sometimes also called the unordered Cartesian product) is an operator that, given a set of sets $\mathcal{D} = \{D_1, \ldots, D_n\}$, returns the set of all sets $\{d_1, \ldots, d_n\}$ obtained by taking one element $d_i$ from every set $D_i$. Formally,

$$\coprod\mathcal{D} = \{\{d_1, \ldots, d_n\} \mid (d_1, \ldots, d_n) \in D_1 \times \cdots \times D_n\} \qquad (1)$$

where $\times$ denotes the Cartesian product. Note that for a set $D$, $\coprod\{D\}$ is the set of all singleton subsets of $D$, i.e. $\coprod\{D\} = \{\{d\} \mid d \in D\}$. Further note that if any $D_i$ is the empty set $\emptyset$, the result is $\coprod\mathcal{D} = \emptyset$.

Let $\mathbb{X}$ be a set of variables. A symbol $\tau$ over $\mathbb{X}$ is a mapping of all variables in $\mathbb{X}$ to either 0 or 1, e.g. $\tau = \{X_1 \mapsto 0, X_2 \mapsto 1\}$ for $\mathbb{X} = \{X_1, X_2\}$. An alphabet over $\mathbb{X}$ is the set of all symbols over $\mathbb{X}$, denoted as $\Sigma_{\mathbb{X}}$. For any $\mathbb{X}$ (even empty), we use $\bar{0}$ to denote the symbol which maps all variables from $\mathbb{X}$ to 0, $\bar{0} \in \Sigma_{\mathbb{X}}$.

A (nondeterministic) finite (word) automaton (abbreviated as FA in the following) over a set of variables $\mathbb{X}$ is a quadruple $\mathcal{A} = (Q, \Delta, I, F)$ where $Q$ is a finite set of states, $I \subseteq Q$ is a set of initial states, $F \subseteq Q$ is a set of final states, and $\Delta$ is a set of transitions of the form $(p, \tau, q)$ where $p, q \in Q$ and $\tau \in \Sigma_{\mathbb{X}}$. We use $p \xrightarrow{\tau} q \in \Delta$ to denote that $(p, \tau, q) \in \Delta$. Note that for an FA $\mathcal{A}$ over $\mathbb{X} = \emptyset$, $\mathcal{A}$ is a unary FA with the alphabet $\Sigma_{\mathbb{X}} = \{\bar{0}\}$.

A run $r$ of $\mathcal{A}$ over a word $w = \tau_1\tau_2\ldots\tau_n \in \Sigma_{\mathbb{X}}^*$ from the state $p \in Q$ to the state $s \in Q$ is a sequence of states $r = q_0 q_1 \ldots q_n \in Q^{n+1}$ such that $q_0 = p$, $q_n = s$, and for all $1 \le i \le n$ there is a transition $q_{i-1} \xrightarrow{\tau_i} q_i$ in $\Delta$. If $s \in F$, we say that $r$ is an accepting run. We write $p \overset{w}{\leadsto} s$ to denote that there exists a run from the state $p$ to the state $s$ over the word $w$. The language accepted by a state $q$ is defined by $\mathcal{L}_{\mathcal{A}}(q) = \{w \mid q \overset{w}{\leadsto} q_f, q_f \in F\}$, while the language of a set of states $S \subseteq Q$ is defined as $\mathcal{L}_{\mathcal{A}}(S) = \bigcup_{q \in S} \mathcal{L}_{\mathcal{A}}(q)$. When it is clear which FA $\mathcal{A}$ we refer to, we only write $\mathcal{L}(q)$ or $\mathcal{L}(S)$. The language of $\mathcal{A}$ is defined as $\mathcal{L}(\mathcal{A}) = \mathcal{L}_{\mathcal{A}}(I)$. We say that the state $q$ accepts $w$ and that the automaton $\mathcal{A}$ accepts $w$ to express that $w \in \mathcal{L}_{\mathcal{A}}(q)$ and $w \in \mathcal{L}(\mathcal{A})$ respectively. We call a language $L \subseteq \Sigma_{\mathbb{X}}^*$ universal iff $L = \Sigma_{\mathbb{X}}^*$.

For a set of states $S \subseteq Q$, we define

$$post[\Delta,\tau](S) = \{t \mid s \xrightarrow{\tau} t \in \Delta,\ s \in S\},$$

$$pre[\Delta,\tau](S) = \{t \mid t \xrightarrow{\tau} s \in \Delta,\ s \in S\}, \text{ and}$$

$$cpre[\Delta,\tau](S) = \{t \mid post[\Delta,\tau](\{t\}) \subseteq S\}.$$

The complement of $\mathcal{A}$ is the automaton $\mathcal{A}_C = (2^Q, \Delta_C, \{I\}, \downarrow\{Q \setminus F\})$ where $\Delta_C = \{P \xrightarrow{\tau} post[\Delta,\tau](P) \mid P \subseteq Q\}$; this corresponds to the standard procedure that first determinizes $\mathcal{A}$ by the subset construction and then swaps its sets of final and non-final states, and $\downarrow\{Q \setminus F\}$ is the set of all subsets of $Q$ that do not contain a final state of $\mathcal{A}$. The language of $\mathcal{A}_C$ is the complement of the language of $\mathcal{A}$, i.e. $\mathcal{L}(\mathcal{A}_C) = \overline{\mathcal{L}(\mathcal{A})}$.

For a set of variables $\mathbb{X}$ and a variable $X$, the projection of $X$ from $\mathbb{X}$, denoted as $\pi_{[X]}(\mathbb{X})$, is the set $\mathbb{X} \setminus \{X\}$. For a symbol $\tau$, the projection of $X$ from $\tau$, denoted $\pi_{[X]}(\tau)$, is obtained from $\tau$ by restricting $\tau$ to the domain $\pi_{[X]}(\mathbb{X})$. For a transition relation $\Delta$, the projection of $X$ from $\Delta$, denoted as $\pi_{[X]}(\Delta)$, is the transition relation

$$\pi_{[X]}(\Delta) = \{p \xrightarrow{\pi_{[X]}(\tau)} q \mid p \xrightarrow{\tau} q \in \Delta\}.$$

4 Deciding WS1S with Finite Automata

The classical decision procedure for WS1S [22] (as described in Section 3.3 of [21]) is based on a logic-automata connection and decides validity (satisfiability) of a WS1S formula $\varphi(X_1, \ldots, X_n)$ by constructing the FA $\mathcal{A}_\varphi$ over $\{X_1, \ldots, X_n\}$ which recognizes encodings of exactly the models of $\varphi$. The automaton is built in a bottom-up manner, according to the structure of $\varphi$, starting with predefined atomic automata for literals and applying a corresponding automata operation for every logical connective and quantifier ($\wedge, \vee, \neg, \exists$). Hence, for every sub-formula $\psi$ of $\varphi$, the procedure will compute the automaton $\mathcal{A}_\psi$ such that $\mathcal{L}(\mathcal{A}_\psi)$ represents exactly all models of $\psi$, terminating with the result $\mathcal{A}_\varphi$.

The alphabet of $\mathcal{A}_\varphi$ consists of all symbols over the set $\mathbb{X} = \{X_1, \ldots, X_n\}$ of free variables of $\varphi$ (for $a, b \in \{0, 1\}$ and $\mathbb{X} = \{X_1, X_2\}$, we use the column $\begin{smallmatrix} X_1 : a \\ X_2 : b \end{smallmatrix}$ to denote the symbol $\{X_1 \mapsto a, X_2 \mapsto b\}$). A word $w$ from the language of $\mathcal{A}_\varphi$ is a sequence of these symbols; we denote the $i$-th symbol of $w$ as $w[i]$, for $i \in \mathbb{N}_0$. An assignment $\rho : \mathbb{X} \to 2^{\mathbb{N}_0}$ mapping the free variables $\mathbb{X}$ of $\varphi$ to subsets of $\mathbb{N}_0$ is encoded into a word $w_\rho$ of symbols over $\mathbb{X}$ in the following way: $w_\rho$ contains 1 in the $j$-th position of the row for $X_i$ iff $j \in X_i$ in $\rho$. Formally, for every $i \in \mathbb{N}_0$ and $X_j \in \mathbb{X}$, if $i \in \rho(X_j)$, then $w_\rho[i]$ maps $X_j \mapsto 1$. On the other hand, if $i \notin \rho(X_j)$, then either $w_\rho[i]$ maps $X_j \mapsto 0$, or the length of $w_\rho$ is smaller than or equal to $i$. Notice that there exist an infinite number of encodings of $\rho$. The shortest one is $w_\rho^0$ of the length $n + 1$, where $n$ is the largest number appearing in any of the sets that is assigned to a variable of $\mathbb{X}$ in $\rho$, or $-1$ when all these sets are empty. The rest of the encodings are all those corresponding to $w_\rho^0$ extended with an arbitrary number of $\bar{0}$ symbols appended to its end. For example, $\begin{smallmatrix} X_1 : 0 \\ X_2 : 1 \end{smallmatrix}$, $\begin{smallmatrix} X_1 : 00 \\ X_2 : 10 \end{smallmatrix}$, $\begin{smallmatrix} X_1 : 000 \\ X_2 : 100 \end{smallmatrix}, \ldots$ are all encodings of the assignment $\rho = \{X_1 \mapsto \emptyset, X_2 \mapsto \{0\}\}$. For the soundness of the decision procedure, it is important that $\mathcal{A}_\varphi$ always accepts either all encodings of $\rho$ or none of them.

The automata $\mathcal{A}_{\varphi \vee \psi}$ and $\mathcal{A}_{\varphi \wedge \psi}$ are constructed from $\mathcal{A}_\varphi$ and $\mathcal{A}_\psi$ by the standard automata-theoretic union and intersection operations, preceded by the so-called cylindrification which unifies the alphabets of $\mathcal{A}_\varphi$ and $\mathcal{A}_\psi$. Since these operations, as well as the automata for the atomic formulae, are not the subject of the contribution proposed in this paper, we refer the interested reader to [21] for details.

The part of the procedure which is central for this paper is processing negation and existential quantification; we will therefore describe it in detail. The FA $\mathcal{A}_{\neg\psi}$ is constructed as the complement of $\mathcal{A}_\psi$. Then, all encodings of the assignments that were accepted by $\mathcal{A}_\psi$ are rejected by $\mathcal{A}_{\neg\psi}$ and vice versa. The FA $\mathcal{A}_{\exists X : \psi}$ is obtained from the FA $\mathcal{A}_\psi = (Q, \Delta, I, F)$ by first projecting $X$ from the transition relation $\Delta$, yielding the FA $\mathcal{A}'_\psi = (Q, \pi_{[X]}(\Delta), I, F)$. However, $\mathcal{A}'_\psi$ cannot be directly used as $\mathcal{A}_{\exists X : \psi}$. The reason is that $\mathcal{A}'_\psi$ may now be inconsistent in accepting some encodings of an assignment $\rho$ while rejecting other encodings of $\rho$. For example, suppose that $\mathcal{A}_\psi$ accepts the words $\begin{smallmatrix} X_1 : 010 \\ X_2 : 001 \end{smallmatrix}$, $\begin{smallmatrix} X_1 : 0100 \\ X_2 : 0010 \end{smallmatrix}$, $\begin{smallmatrix} X_1 : 0100\ldots0 \\ X_2 : 0010\ldots0 \end{smallmatrix}$ when computing the FA for $\exists X_2 : \psi$. When we remove the $X_2$ row from all symbols, we obtain the FA $\mathcal{A}'_\psi$ that accepts the words $X_1 : 010$, $X_1 : 0100$, $X_1 : 0100\ldots0$, but does not accept the word $X_1 : 01$ that encodes the same assignment (because $\begin{smallmatrix} X_1 : 01 \\ X_2 : ?? \end{smallmatrix} \notin \mathcal{L}(\mathcal{A}_\psi)$ for any values in the places of the "?"s). As a remedy for this situation, we need to modify $\mathcal{A}'_\psi$ to also accept the rest of the encodings of $\rho$. This is done by enlarging the set of final states of $\mathcal{A}'_\psi$ to also contain all states that can reach a final state of $\mathcal{A}'_\psi$ by a sequence of $\bar{0}$ symbols. Formally, $\mathcal{A}_{\exists X : \psi} = (Q, \pi_{[X]}(\Delta), I, F^\sharp)$ is obtained from $\mathcal{A}'_\psi = (Q, \pi_{[X]}(\Delta), I, F)$ by computing $F^\sharp$ from $F$ using the fixpoint computation $F^\sharp = \mu Z.\ F \cup pre[\pi_{[X]}(\Delta), \bar{0}](Z)$. Intuitively, the least fixpoint denotes the set of states backward-reachable from $F$ following transitions of $\pi_{[X]}(\Delta)$ labelled by $\bar{0}$.

The procedure returns an automaton $\mathcal{A}_\varphi$ that accepts exactly all encodings of the models of $\varphi$. This means that the language of $\mathcal{A}_\varphi$ is (i) universal iff $\varphi$ is valid, (ii) non-universal iff $\varphi$ is invalid, (iii) empty iff $\varphi$ is unsatisfiable, and (iv) non-empty iff $\varphi$ is satisfiable. Notice that in the particular case of ground formulae (i.e. formulae without free variables), the language of $\mathcal{A}_\varphi$ is either $\mathcal{L}(\mathcal{A}_\varphi) = \{\bar{0}\}^*$ in the case $\varphi$ is valid, or $\mathcal{L}(\mathcal{A}_\varphi) = \emptyset$ in the case $\varphi$ is invalid.

5 Nested Antichain-based Approach for Alternating Quantifiers

We now present our approach for dealing with alternating quantifiers in WS1S formulae. We consider a ground formula $\varphi$ of the form

$$\varphi \;=\; \underbrace{\neg\exists\mathcal{X}_m\ \underbrace{\neg\exists\mathcal{X}_{m-1}\ \cdots\ \underbrace{\neg\exists\mathcal{X}_1 : \varphi_0}_{\varphi_1}\ \cdots}_{\varphi_{m-1}}}_{\varphi_m} \qquad (2)$$

where each $\mathcal{X}_i$ is a set of variables $\{X_a, \ldots, X_b\}$, $\exists\mathcal{X}_i$ is an abbreviation for a non-empty sequence $\exists X_a \ldots \exists X_b$ of consecutive existential quantifications, and $\varphi_0$ is an arbitrary formula called the matrix of $\varphi$. Note that the problem of checking validity or satisfiability of a formula with free variables can be easily reduced to this form.

The classical procedure presented in Section 4 computes a sequence of automata $\mathcal{A}_{\varphi_0}, \mathcal{A}_{\varphi_0^\sharp}, \ldots, \mathcal{A}_{\varphi_{m-1}^\sharp}, \mathcal{A}_{\varphi_m}$ where for all $0 \le i \le m-1$, $\varphi_i^\sharp = \exists\mathcal{X}_{i+1} : \varphi_i$ and $\varphi_{i+1} = \neg\varphi_i^\sharp$. The $\varphi_i$'s are the subformulae of $\varphi$ shown in Equation (2). Since eliminating existential quantification on the automata level introduces nondeterminism (due to the projection on the transition relation), every $\mathcal{A}_{\varphi_i^\sharp}$ may be nondeterministic. The computation of $\mathcal{A}_{\varphi_{i+1}}$ then involves subset construction and becomes exponential. The worst case complexity of eliminating the prefix is therefore the tower of exponentials of the height $m$. Even though the construction may be optimized, e.g. by minimizing every $\mathcal{A}_{\varphi_i^\sharp}$ (which is implemented by MONA), the size of the generated automata can quickly become intractable.

The main idea of our algorithm is inspired by the antichain algorithms [13,14] for testing language universality of an automaton $\mathcal{A}$. In a nutshell, testing universality of $\mathcal{A}$ is testing whether in the complement $\overline{\mathcal{A}}$ of $\mathcal{A}$ (which is created by determinization via subset construction, followed by swapping final and non-final states), an initial state can reach a final state. The crucial idea of the antichain algorithms is based on the following: (i) The search can be done on-the-fly while constructing $\overline{\mathcal{A}}$. (ii) The sets of states that arise during the search are closed (upward or downward, depending on the variant of the algorithm). (iii) The computation can be done symbolically on the generators of these closed sets. It is enough to keep only the extreme generators of the closed sets (maximal for downward closed, minimal for upward closed). The generators that are not extreme (we say that they are subsumed) can be pruned away, which vastly reduces the search space.

We notice that individual steps of the algorithm for constructing $\mathcal{A}_\varphi$ are very similar to testing universality. Automaton $\mathcal{A}_{\varphi_i}$ arises by subset construction from $\mathcal{A}_{\varphi_{i-1}^\sharp}$, and to compute $\mathcal{A}_{\varphi_i^\sharp}$, it is necessary to compute the set of final states $F_i^\sharp$. Those are states backward reachable from the final states of $\mathcal{A}_{\varphi_i}$ via a subset of transitions of $\Delta_i$ (those labelled by symbols projected to $\bar{0}$ by $\pi_{i+1}$). To compute $F_i^\sharp$, the antichain algorithms could actually be taken off-the-shelf and run with $\mathcal{A}_{\varphi_{i-1}^\sharp}$ in the role of the input $\mathcal{A}$ and $\mathcal{A}_{\varphi_i}$ in the role of $\overline{\mathcal{A}}$. However, this approach has the following two problems. First, antichain algorithms do not produce the automaton $\overline{\mathcal{A}}$ (here $\mathcal{A}_{\varphi_i}$), but only a symbolic representation of a set of (backward) reachable states (here of $F_i^\sharp$). Since $\mathcal{A}_{\varphi_i}$ is the input of the construction of $\mathcal{A}_{\varphi_{i+1}}$, the construction of $\mathcal{A}_\varphi$ could not continue. The other problem is that the size of the input $\mathcal{A}_{\varphi_{i-1}^\sharp}$ of the antichain algorithm is only limited by the tower of exponentials of the height $i - 1$, and this might be already far out of reach.

The main contribution of our paper is an algorithm that alleviates the two problems mentioned above. It is based on a novel way of performing not only one, but all the $2m$ steps of the construction of $\mathcal{A}_\varphi$ on-the-fly. It uses a nested symbolic representation of sets of states and a form of nested subsumption pruning on all levels of their structure. This is achieved by a substantial refinement of the basic ideas of antichain algorithms.


5.1 Structure of the Algorithm 


Let us now start explaining our on-the-fly algorithm for handling quantifier alternation. Following the construction of automata described in Section 4, the structure of the automata from the previous section, $\mathcal{A}_{\varphi_0}, \mathcal{A}_{\varphi_0^\sharp}, \ldots, \mathcal{A}_{\varphi_{m-1}^\sharp}, \mathcal{A}_{\varphi_m}$, can be described using the following recursive definition. We use $\pi_i(C)$ for any mathematical structure $C$ to denote projection of all variables in $\mathcal{X}_1 \cup \cdots \cup \mathcal{X}_i$ from $C$.

Let $\mathcal{A}_{\varphi_0} = (Q_0, \Delta_0, I_0, F_0)$ be an FA over $\mathbb{X}$. Then, for each $0 \le i < m$, $\mathcal{A}_{\varphi_i^\sharp}$ and $\mathcal{A}_{\varphi_{i+1}}$ are FAs over $\pi_{i+1}(\mathbb{X})$ that have from the construction the following structure:

$$\mathcal{A}_{\varphi_i^\sharp} = (Q_i, \Delta_i^\sharp, I_i, F_i^\sharp) \text{ where } \Delta_i^\sharp = \pi_{i+1}(\Delta_i) \text{ and } F_i^\sharp = \mu Z.\ F_i \cup pre[\Delta_i^\sharp, \bar{0}](Z);$$

$$\mathcal{A}_{\varphi_{i+1}} = (Q_{i+1}, \Delta_{i+1}, I_{i+1}, F_{i+1}) \text{ where } Q_{i+1} = 2^{Q_i},\ \Delta_{i+1} = \{P \xrightarrow{\tau} post[\Delta_i^\sharp, \tau](P) \mid P \subseteq Q_i\},\ I_{i+1} = \{I_i\}, \text{ and } F_{i+1} = \downarrow\{Q_i \setminus F_i^\sharp\}.$$

We recall that $\mathcal{A}_{\varphi_i^\sharp}$ directly corresponds to existential quantification of the variables of $\mathcal{X}_{i+1}$ (cf. Section 4), and $\mathcal{A}_{\varphi_{i+1}}$ directly corresponds to the complement of $\mathcal{A}_{\varphi_i^\sharp}$ (cf. Section 3).

A crucial observation behind our approach is that, because $\varphi$ is ground, $\mathcal{A}_\varphi$ is an FA over an empty set of variables, and, therefore, $\mathcal{L}(\mathcal{A}_\varphi)$ is either the empty set $\emptyset$ or the set $\{\bar{0}\}^*$ (as described in Section 4). Therefore, we need to distinguish between these two cases only. To determine which of them holds, we do not need to explicitly construct the automaton $\mathcal{A}_\varphi$. Instead, it suffices to check whether $\mathcal{A}_\varphi$ accepts the empty string $\epsilon$. This is equivalent to checking existence of a state that is at the same time final and initial, that is

$$\models \varphi \iff I_m \cap F_m \neq \emptyset. \qquad (3)$$

To compute $I_m$ from $I_0$ is straightforward (it equals $\{\{\ldots\{\{I_0\}\}\ldots\}\}$ nested $m$ times). In the rest of the section, we will describe how to compute $F_m$ (its symbolic representation), and how to test whether it intersects with $I_m$.

The algorithm takes advantage of the fact that to represent final states, one can use their complement, the set of non-final states. For $0 \le i \le m$, we write $N_i$ and $N_i^\sharp$ to denote the sets of non-final states $Q_i \setminus F_i$ of $\mathcal{A}_{\varphi_i}$ and $Q_i \setminus F_i^\sharp$ of $\mathcal{A}_{\varphi_i^\sharp}$ respectively. The algorithm will then, instead of computing the sequence of automata $\mathcal{A}_{\varphi_0}, \mathcal{A}_{\varphi_0^\sharp}, \ldots, \mathcal{A}_{\varphi_m}$, compute the sequence $F_0, F_0^\sharp, N_1, N_1^\sharp, F_2, F_2^\sharp, \ldots$ up to either $F_m$ (if $m$ is even) or $N_m$ (if $m$ is odd), which suffices for testing the validity of $\varphi$. The algorithm starts with $F_0$ and uses the following recursive equations:

$$\text{(i)}\ F_{i+1} = \downarrow\{N_i^\sharp\}, \qquad \text{(ii)}\ F_i^\sharp = \mu Z.\ F_i \cup pre[\Delta_i^\sharp, \bar{0}](Z),$$

$$\text{(iii)}\ N_{i+1} = \uparrow\textstyle\coprod\{F_i^\sharp\}, \qquad \text{(iv)}\ N_i^\sharp = \nu Z.\ N_i \cap cpre[\Delta_i^\sharp, \bar{0}](Z). \qquad (4)$$

Intuitively, Equations (i) and (ii) are directly from the definition of $\mathcal{A}_{\varphi_{i+1}}$ and $\mathcal{A}_{\varphi_i^\sharp}$. Equation (iii) is a dual of Equation (i): $N_{i+1}$ contains all subsets of $Q_i$ that contain at least one state from $F_i^\sharp$ (cf. the definition of the $\coprod$ operator). Finally, Equation (iv) is a dual of Equation (ii): in the $k$-th iteration of the greatest fixpoint computation, the current set of states $Z$ will contain all states that cannot reach an $F_i$ state over $\bar{0}$ within $k$ steps. In the next iteration, only those states of $Z$ are kept such that all their $\bar{0}$-successors are in $Z$. Hence, the new value of $Z$ is the set of states that cannot reach $F_i$ over $\bar{0}$ in $k + 1$ steps, and the computation stabilises with the set of states that cannot reach $F_i$ over $\bar{0}$ in any number of steps.
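As an added example (not code from the paper or from MONA), the following Python script builds, on a constructed instance, the objects of Section 4 and of this section explicitly: the projection $\pi_{[X]}(\Delta)$ together with the fixpoint $F^\sharp$ that makes the automaton accept all encodings of an assignment, the subset construction of Section 5.1 with $F_{i+1} = \downarrow\{N_i^\sharp\}$, and the test $I_m \cap F_m \neq \emptyset$ of Equation (3). It enumerates every $Q_{i+1} = 2^{Q_i}$, i.e. it performs exactly the explicit determinization that the nested antichain algorithm avoids, so it only serves to check the equations on tiny automata. The two matrix automata (for $X_2 = X_1 + 1$ and for $X_1 \subseteq X_2$), the variable names and all function names are assumptions of the example.

```python
from itertools import combinations, product

def powerset(states):
    """All subsets of a finite set, as frozensets: Q_{i+1} = 2^{Q_i}."""
    s = list(states)
    return {frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)}

def sym(**bits):
    """A symbol over a set of variables, stored as a frozenset of (variable, bit) pairs."""
    return frozenset(bits.items())

def alphabet(variables):
    """Sigma_X: all symbols over `variables` (for X = {} this is just {0-bar})."""
    vs = sorted(variables)
    return [frozenset(zip(vs, bits)) for bits in product((0, 1), repeat=len(vs))]

def project(delta, var):
    """pi[var](Delta): drop `var` from every symbol; this may introduce nondeterminism."""
    return {(p, frozenset(b for b in t if b[0] != var), q) for p, t, q in delta}

def post(delta, tau, S):
    return {q for p, t, q in delta if t == tau and p in S}

def pre(delta, tau, S):
    return {p for p, t, q in delta if t == tau and q in S}

def accepts(delta, I, F, word):
    """Run the FA over `word` (a list of symbols) by iterating post-images."""
    S = set(I)
    for tau in word:
        S = post(delta, tau, S)
    return bool(S & set(F))

def lfp_final(F, delta_sharp, zero):
    """F^# = mu Z . F u pre[Delta^#, 0-bar](Z): states reaching F over 0-bar symbols."""
    Z = set(F)
    while True:
        bigger = Z | pre(delta_sharp, zero, Z)
        if bigger == Z:
            return frozenset(Z)
        Z = bigger

def exists(variables, delta, F, var):
    """A_{exists var : psi} of Section 4: project `var`, then enlarge the final states.
    Returns the remaining variables, pi[var](Delta) and F^#."""
    remaining = set(variables) - {var}
    delta_sharp = project(delta, var)
    zero = frozenset((v, 0) for v in remaining)
    return remaining, delta_sharp, lfp_final(F, delta_sharp, zero)

def complement_level(Q, delta_sharp, I, F_sharp, sigma):
    """The subset construction of Section 5.1: Q_{i+1} = 2^{Q_i}, Delta_{i+1},
    I_{i+1} = {I_i} and F_{i+1} = down{N_i^#}, the subsets of N_i^# = Q_i \\ F_i^#."""
    Q_next = powerset(Q)
    delta_next = {(P, tau, frozenset(post(delta_sharp, tau, P)))
                  for P in Q_next for tau in sigma}
    N_sharp = frozenset(Q) - F_sharp
    F_next = {P for P in Q_next if P <= N_sharp}
    return Q_next, delta_next, {frozenset(I)}, F_next

def decide(variables, Q, delta, I, F, blocks):
    """True iff |= not exists X_m ... not exists X_1 : phi_0 (Equation (3)), where
    blocks = [X_1, ..., X_m] and (Q, delta, I, F) is the FA of the matrix phi_0."""
    for block in blocks:
        for var in block:                      # exists X_a ... exists X_b, one at a time
            variables, delta, F = exists(variables, delta, F, var)   # F is now F_i^#
        Q, delta, I, F = complement_level(Q, delta, I, F, alphabet(variables))
    return bool(set(I) & set(F))               # I_m cap F_m != {}

# Constructed matrix automaton for X2 = X1 + 1 (both singletons, X2's element is the
# successor of X1's): q0 = nothing seen, q1 = X1's 1 seen, q2 = X2's 1 seen right after.
VARS = {'X1', 'X2'}
Q0, I0, F0 = {'q0', 'q1', 'q2'}, {'q0'}, {'q2'}
DELTA0 = {('q0', sym(X1=0, X2=0), 'q0'), ('q0', sym(X1=1, X2=0), 'q1'),
          ('q1', sym(X1=0, X2=1), 'q2'), ('q2', sym(X1=0, X2=0), 'q2')}
# Constructed matrix automaton for X1 subseteq X2: one state that forbids the symbol (1, 0).
SUB_Q, SUB_I, SUB_F = {'p'}, {'p'}, {'p'}
SUB_DELTA = {('p', sym(X1=0, X2=0), 'p'), ('p', sym(X1=0, X2=1), 'p'),
             ('p', sym(X1=1, X2=1), 'p')}

def section4_demo():
    """After projecting X2 from DELTA0, X1:01 is rejected while X1:010 is accepted,
    although both encode X1 -> {1}; with the final states F^# both are accepted."""
    _, d_sharp, f_sharp = exists(VARS, DELTA0, F0, 'X2')
    short, longer = [sym(X1=0), sym(X1=1)], [sym(X1=0), sym(X1=1), sym(X1=0)]
    return (accepts(d_sharp, I0, F0, short), accepts(d_sharp, I0, F0, longer),
            accepts(d_sharp, I0, f_sharp, short))

if __name__ == '__main__':
    print(section4_demo())                                              # (False, True, True)
    print(decide(VARS, Q0, DELTA0, I0, F0, [['X1'], ['X2']]))           # False
    print(decide(VARS, SUB_Q, SUB_DELTA, SUB_I, SUB_F, [['X1'], ['X2']]))  # True
```

The first decision is $\neg\exists X_2 \neg\exists X_1 : X_2 = X_1 + 1$, which is invalid (take $X_2 = \emptyset$ as the witness of the inner negation); the second is $\neg\exists X_2 \neg\exists X_1 : X_1 \subseteq X_2$, which is valid since $X_1 = \emptyset$ always works. With a single block $[X_1, X_2]$ the same matrix gives $\neg\exists X_1 \exists X_2 : X_1 \subseteq X_2$, which is invalid.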


In the next two sections, we will show that both of the above hxpoint compu¬ 
tations can be carried out symbolically on representatives of upward/downward 
closed sets. Particularly, in Sections |5.2| and [5.3[ we show how the hxpoints from 
Equations (ii) and (iv) can be computed symbolically, using subsets of Qi-i 
as representatives (generators) of upward/downward closed subsets of Qi. Sec¬ 
tion |5.4| explains how the above symbolic hxpoint computations can be carried 
out using nested terms of depth i as a symbolic representation of computed 
states of Qi- Section 5.5 shows how to test emptiness of Im^Fm on the symbolic 
terms, and Section 5.6 describes the subsumption relation used to minimize the 
symbolic term representation used within computations of Equations (ii) and 
(iv). Proofs of the lemmas and used equations can be found in Appendix [A} 
5.2 Computing $N_i^\sharp$ on Representatives of $\uparrow\coprod\mathcal{R}$-sets

Computing $N_i^\sharp$ at each odd level of the hierarchy of automata is done by computing the greatest fixpoint of the function from Equation (4)(iv):

$$f_{N_i^\sharp}(Z) = N_i \cap cpre[\Delta_i^\sharp, \bar{0}](Z). \qquad (5)$$

We will show that the whole fixpoint computation from Equation (4)(iv) can be carried out symbolically on the representatives of $Z$. We will explain that: (a) All intermediate values of $Z$ have the form $\uparrow\coprod\mathcal{R}$, $\mathcal{R} \subseteq Q_i$, so the sets $\mathcal{R}$ can be used as their symbolic representatives. (b) $cpre$ and $\cap$ can be computed on such a symbolic representation efficiently.

Let us start with the computation of $cpre[\Delta_i^\sharp, \tau](Z)$ where $\tau \in \Sigma_{\pi_{i+1}(\mathbb{X})}$, assuming that $Z$ is of the form $\uparrow\coprod\mathcal{R}$, represented by $\mathcal{R} = \{R_1, \ldots, R_n\}$. Observe that a set of symbolic representatives $\mathcal{R}$ stands for the intersection of denotations of individual representatives, that is

$$\uparrow\coprod\mathcal{R} = \bigcap_{R_j \in \mathcal{R}} \uparrow\coprod\{R_j\}. \qquad (6)$$

$cpre[\Delta_i^\sharp, \tau](Z)$ can thus be written as the $cpre$-image $cpre[\Delta_i^\sharp, \tau](\bigcap\mathcal{S})$ of the intersection of the elements of a set $\mathcal{S}$ having the form $\mathcal{S} = \{\uparrow\coprod\{R_j\} \mid R_j \in \mathcal{R}\}$. Further, because $cpre$ distributes over $\cap$, we can compute the $cpre$-image of an intersection by computing the intersection of the $cpre$-images, i.e.

$$cpre[\Delta_i^\sharp, \tau]\Big(\bigcap\mathcal{S}\Big) = \bigcap_{S \in \mathcal{S}} cpre[\Delta_i^\sharp, \tau](S). \qquad (7)$$

By the definition of $\Delta_i^\sharp$ (where $\Delta_i^\sharp = \pi_{i+1}(\Delta_i)$), $cpre[\Delta_i^\sharp, \tau](S)$ can be computed using the transition relation $\Delta_i$ for the price of further refining the intersection. In particular,

$$cpre[\Delta_i^\sharp, \tau](S) = \bigcap_{\omega \in \pi_{i+1}^{-1}(\tau)} cpre[\Delta_i, \omega](S). \qquad (8)$$

Intuitively, $cpre[\Delta_i^\sharp, \tau](S)$ contains states from which every transition labelled by any symbol that is projected to $\tau$ by $\pi_{i+1}$ has its target in $S$. Using Equations (7) and (8), we can write $cpre[\Delta_i^\sharp, \tau](Z)$ as

$$\bigcap_{S \in \mathcal{S}}\ \bigcap_{\omega \in \pi_{i+1}^{-1}(\tau)} cpre[\Delta_i, \omega](S). \qquad (9)$$

To compute the individual conjuncts $cpre[\Delta_i, \omega](S)$, we take advantage of the fact that every $S$ is in the special form $\uparrow\coprod\{R_j\}$ and that $\Delta_i$ is, by its definition (obtained from determinization via subset construction), monotone w.r.t. $\supseteq$. That is, if $P \xrightarrow{\omega} P' \in \Delta_i$ for some $P, P' \in Q_i$, then for every $R \supseteq P$ there is $R' \supseteq P'$ s.t. $R \xrightarrow{\omega} R' \in \Delta_i$. Due to monotonicity, the $cpre[\Delta_i, \omega]$-image of an upward closed set is also upward closed. Moreover, we observe that it can be computed symbolically using $pre$ on elements of its generators. Particularly, for a set $S = \uparrow\coprod\{R_j\}$ generated by the singletons $\coprod\{R_j\}$, we get the following equation:

$$cpre[\Delta_i, \omega](\uparrow\coprod\{R_j\}) = \uparrow\coprod\{pre[\Delta_{i-1}^\sharp, \omega](R_j)\}. \qquad (10)$$

Intuitively, the sets with post-images above a singleton $\{p\} \in \coprod\{R_j\} = \{\{p\} \mid p \in R_j\}$ are those that contain at least one state $q \in Q_{i-1}$ s.t. $q \xrightarrow{\omega} p \in \Delta_{i-1}^\sharp$. Using Equation (10), $cpre[\Delta_i^\sharp, \tau](Z)$ can be rewritten as

$$\bigcap_{R_j \in \mathcal{R}}\ \bigcap_{\omega \in \pi_{i+1}^{-1}(\tau)} \uparrow\coprod\{pre[\Delta_{i-1}^\sharp, \omega](R_j)\}. \qquad (11)$$

By applying Equation (6), we get the final formula for $cpre[\Delta_i^\sharp, \tau]$ shown in the lemma below.

Lemma 1. $cpre[\Delta_i^\sharp, \tau](\uparrow\coprod\mathcal{R}) = \uparrow\coprod\{pre[\Delta_{i-1}^\sharp, \omega](R_j) \mid \omega \in \pi_{i+1}^{-1}(\tau), R_j \in \mathcal{R}\}$.

In order to compute $f_{N_i^\sharp}(Z)$, it remains to intersect $cpre[\Delta_i^\sharp, \bar{0}](Z)$, computed using Lemma 1, with $N_i$. By Equation (4)(iii), $N_i$ equals $\uparrow\coprod\{F_{i-1}^\sharp\}$, and, by Equation (6), the intersection can be done symbolically as

$$f_{N_i^\sharp}(Z) = \uparrow\coprod\Big(\{F_{i-1}^\sharp\} \cup \{pre[\Delta_{i-1}^\sharp, \omega](R_j) \mid \omega \in \pi_{i+1}^{-1}(\bar{0}), R_j \in \mathcal{R}\}\Big). \qquad (12)$$

Finally, note that a symbolic application of $f_{N_i^\sharp}$ to $Z = \uparrow\coprod\mathcal{R}$ represented as the set $\mathcal{R}$ reduces to computing $pre$-images of the elements of $\mathcal{R}$, which are then put next to each other, together with $F_{i-1}^\sharp$. The computation starts from $N_i = \uparrow\coprod\{F_{i-1}^\sharp\}$, represented by $\{F_{i-1}^\sharp\}$, and each of its steps, implemented by Equation (12), preserves the form of sets $\uparrow\coprod\mathcal{R}$ represented by $\mathcal{R}$.


5.3 Computing $F_i^\sharp$ on Representatives of $\downarrow\mathcal{R}$-sets

Similarly as in the previous section, computation of $F_i^\sharp$ at each even level of the automata hierarchy is done by computing the least fixpoint of the function

$$f_{F_i^\sharp}(Z) = F_i \cup pre[\Delta_i^\sharp, \bar{0}](Z). \qquad (13)$$

We will show that the whole fixpoint computation from Equation (4)(ii) can again be carried out symbolically. We will explain the following: (a) All intermediate values of $Z$ are of the form $\downarrow\mathcal{R}$, $\mathcal{R} \subseteq Q_i$, so the sets $\mathcal{R}$ can be used as their symbolic representatives. (b) $pre$ and $\cup$ can be computed efficiently on such a symbolic representation. The computation is a simpler analogy of the one in Section 5.2.

We start with the computation of $pre[\Delta_i^\sharp, \tau](Z)$ where $\tau \in \Sigma_{\pi_{i+1}(\mathbb{X})}$, assuming that $Z$ is of the form $\downarrow\mathcal{R}$, represented by $\mathcal{R} = \{R_1, \ldots, R_n\}$. A simple analogy to Equations (6) and (7) of Section 5.2 is that the union of downward closed sets is a downward closed set generated by the union of their generators, i.e. $\downarrow\mathcal{R} = \bigcup_{R_j \in \mathcal{R}} \downarrow\{R_j\}$, and that $pre$ distributes over union, i.e.

$$pre[\Delta_i^\sharp, \tau](\downarrow\mathcal{R}) = \bigcup_{R_j \in \mathcal{R}} pre[\Delta_i^\sharp, \tau](\downarrow\{R_j\}). \qquad (14)$$

An analogy of Equation (8) holds too:

$$pre[\Delta_i^\sharp, \tau](S) = \bigcup_{\omega \in \pi_{i+1}^{-1}(\tau)} pre[\Delta_i, \omega](S). \qquad (15)$$

Intuitively, $pre[\Delta_i^\sharp, \tau](S)$ contains states from which at least one transition labelled by any symbol that is projected to $\tau$ by $\pi_{i+1}$ leads into $S$. Using Equations (14) and (15), we can write $pre[\Delta_i^\sharp, \tau](Z)$ as

$$\bigcup_{R_j \in \mathcal{R}}\ \bigcup_{\omega \in \pi_{i+1}^{-1}(\tau)} pre[\Delta_i, \omega](\downarrow\{R_j\}). \qquad (16)$$

To compute the individual disjuncts $pre[\Delta_i, \omega](\downarrow\{R_j\})$, we take advantage of the fact that every $\downarrow\{R_j\}$ is downward closed, and that $\Delta_i$ is, by its definition (determinization by subset construction), monotone w.r.t. $\subseteq$. That is, if $P \xrightarrow{\omega} P' \in \Delta_i$ for some $P, P' \in Q_i$, then for every $R \subseteq P$, there is $R' \subseteq P'$ s.t. $R \xrightarrow{\omega} R' \in \Delta_i$. Due to monotonicity, the $pre[\Delta_i, \omega]$-image of a downward closed set is downward closed. Moreover, we observe that it can be computed symbolically using $cpre$ on elements of its generators. In particular, for a set $\downarrow\{R_j\}$, we get the following equation, which is a dual of Equation (10):

$$pre[\Delta_i, \omega](\downarrow\{R_j\}) = \downarrow\{cpre[\Delta_{i-1}^\sharp, \omega](R_j)\}. \qquad (17)$$

Intuitively, the sets with the post-images below $R_j$ are those which do not have an outgoing transition leading outside $R_j$. The largest such set is $cpre[\Delta_{i-1}^\sharp, \omega](R_j)$. Using Equation (17), $pre[\Delta_i^\sharp, \tau](Z)$ can be rewritten as

$$\bigcup_{R_j \in \mathcal{R}}\ \bigcup_{\omega \in \pi_{i+1}^{-1}(\tau)} \downarrow\{cpre[\Delta_{i-1}^\sharp, \omega](R_j)\} \qquad (18)$$

which gives us the final formula for $pre[\Delta_i^\sharp, \tau]$ described in Lemma 2.

Lemma 2. $pre[\Delta_i^\sharp, \tau](\downarrow\mathcal{R}) = \downarrow\{cpre[\Delta_{i-1}^\sharp, \omega](R_j) \mid \omega \in \pi_{i+1}^{-1}(\tau), R_j \in \mathcal{R}\}$.

To compute $f_{F_i^\sharp}(Z)$, it remains to unite $pre[\Delta_i^\sharp, \bar{0}](Z)$, computed using Lemma 2, with $F_i$. From Equation (4)(i), $F_i$ equals $\downarrow\{N_{i-1}^\sharp\}$, so the union can be done symbolically as

$$f_{F_i^\sharp}(Z) = \downarrow\Big(\{N_{i-1}^\sharp\} \cup \{cpre[\Delta_{i-1}^\sharp, \omega](R_j) \mid \omega \in \pi_{i+1}^{-1}(\bar{0}), R_j \in \mathcal{R}\}\Big). \qquad (19)$$

Therefore, a symbolic application of $f_{F_i^\sharp}$ to $Z = \downarrow\mathcal{R}$ represented using the set $\mathcal{R}$ reduces to computing $cpre$-images of elements of $\mathcal{R}$, which are put next to each other, together with $N_{i-1}^\sharp$. The computation starts from $F_i = \downarrow\{N_{i-1}^\sharp\}$, represented by $\{N_{i-1}^\sharp\}$, and each of its steps, implemented by Equation (19), preserves the form of sets $\downarrow\mathcal{R}$, represented by $\mathcal{R}$.
5.4 Computation of $F_i^\#$ and $N_i^\#$ on Symbolic Terms

Sections 5.2 and 5.3 show how sets of states arising within the fixpoint computations from Equations (ii) and (iv) can be represented symbolically using representatives which are sets of states of the lower level. The sets of states of the lower level will be again represented symbolically. When computing the fixpoint of level $i$, we will work with a nested symbolic representation of states of depth $i$. Particularly, sets of states of $Q_k$, $0 \le k \le i$, are represented by terms of level $k$, where a term of level 0 is a subset of $Q_0$, a term of level $2j+1$, $j \ge 0$, is of the form $\uparrow\bigcup\{t_1, \ldots, t_n\}$ where $t_1, \ldots, t_n$ are terms of level $2j$, and a term of level $2j$, $j > 0$, is of the form $\downarrow\{t_1, \ldots, t_n\}$ where $t_1, \ldots, t_n$ are terms of level $2j-1$.

The computation of $\mathit{cpre}$ and $\mathit{fp}_{N^\#_{2j+1}}$ on a term of level $2j+1$ and the computation of $\mathit{pre}$ and $\mathit{fp}_{F^\#_{2j}}$ on a term of level $2j$ then becomes a recursive procedure that descends via the structure of the terms and produces again a term of level $2j+1$ or $2j$, respectively. In the case of $\mathit{cpre}$ and $\mathit{fp}_{N^\#_{2j+1}}$ called on a term of level $2j+1$, Lemma 1 reduces the computation to a computation of $\mathit{pre}$ on its sub-terms of level $2j$, which is again reduced by Lemma 2 to a computation of $\mathit{cpre}$ on terms of level $2j-1$, and so on until the bottom level where the algorithm computes $\mathit{pre}$ on the terms of level 0 (subsets of $Q_0$). The case of $\mathit{pre}$ and $\mathit{fp}_{F^\#_{2j}}$ called on a term of level $2j$ is symmetrical.
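The recursive procedure of Sections 5.3 and 5.4, written out as an added Python example (this is not code from the paper or from dWiNA). It assumes a constructed three-state base automaton $\mathcal{A}_0$ over the variables $X_1, X_2, X_3$ and the prefix $\neg\exists X_3\,\neg\exists X_2\,\neg\exists X_1$, so that the sequence $F_0^\#, N_1^\#, F_2^\#, N_3$ is computed; all state names, transitions and function names are the example's own. Symbols of level $k$ keep the bits of $X_{k+1}, \ldots, X_m$, so $\pi_{i+1}^{-1}$ of Equation (15) is the `lift` of a symbol by one coordinate. `pre` and `cpre` implement Lemma 2 and Lemma 1 (Equation 12) on nested terms, the `up` constructor already applies the generator pruning of Equation (25), and `explicit_check` rebuilds $N_1^\#$ and $F_2^\#$ by explicit subset construction to confirm that the terms denote exactly those sets.

```python
"""Symbolic pre/cpre on nested terms (Lemmas 1 and 2) with the level-wise
fixpoints, cross-checked against explicit subset construction.  Added,
constructed example; not the paper's or dWiNA's code.

Term encoding (Section 5.4): level 0 = frozenset of base states,
level 2j+1 = ('up', {level-2j terms}) for the up-arrow-union operator,
level 2j = ('down', {level-(2j-1) terms}).  A level-k symbol holds the bits
of X_{k+1}..X_m, so the projection pi_k drops the first coordinate.
"""
from itertools import combinations

M = 3                                   # X_1..X_3, prefix ¬∃X_3 ¬∃X_2 ¬∃X_1
Q0, I0, F0 = frozenset("abc"), frozenset("a"), frozenset("b")
DELTA0 = {                              # constructed A_0: (source, (x1, x2, x3), target)
    ("a", (0, 0, 0), "a"), ("a", (1, 0, 0), "b"), ("a", (0, 1, 0), "a"),
    ("b", (0, 0, 0), "b"), ("b", (0, 1, 0), "c"),
    ("c", (0, 0, 0), "c"), ("c", (0, 0, 1), "a"), ("c", (0, 1, 1), "a"),
}

def lift(omega):                        # pi^{-1}(omega): the symbols one level down
    return [(x,) + tuple(omega) for x in (0, 1)]

def zero(k):                            # the all-zero level-k (padding) symbol
    return (0,) * (M - k)

def up(gens):
    """Up-arrow-union term; by Equation (25) a generator that strictly includes
    another one is redundant and is dropped (denotation unchanged)."""
    gens = set(gens)
    return ("up", frozenset(g for g in gens if not any(h < g for h in gens)))

def pre0(R, sym):                       # pre on the base NFA for one exact symbol
    return frozenset(p for p, s, q in DELTA0 if s == sym and q in R)

def cpre0(R, sym):                      # states whose every sym-successor lies in R
    return Q0 - pre0(Q0 - R, sym)

def pre(k, t, omega):
    """pre[A_k, omega] of a level-k term (k even), omega a level-(k+1) symbol:
    union over the lifted symbols (Equation 15), Lemma 2 for k > 0."""
    if k == 0:
        return frozenset().union(*(pre0(t, s) for s in lift(omega)))
    return ("down", frozenset(cpre(k - 1, s, sym) for s in t[1] for sym in lift(omega)))

def cpre(k, t, omega):
    """cpre[A_k, omega] of a level-k term (k odd or 0): intersection over the
    lifted symbols; for up-terms that is the up-term of the united generators
    (Lemma 4), each image given by Lemma 1 / Equation 12."""
    if k == 0:
        return Q0.intersection(*(cpre0(t, s) for s in lift(omega)))
    return up(pre(k - 1, s, sym) for s in t[1] for sym in lift(omega))

def decide():
    """Compute t[F_0#], t[N_1#], t[F_2#] and test I_3 ∩ N_3 ≠ ∅ (Section 5.5)."""
    f0 = F0                                        # F_0# = lfp Z. F_0 ∪ pre[A_0,0](Z)
    while f0 != (nxt := f0 | pre(0, f0, zero(1))):
        f0 = nxt
    n1 = up([f0])                                  # N_1 = up{F_0#} (Equation iii)
    while n1 != (nxt := up(n1[1] | cpre(1, n1, zero(2))[1])):   # gfp: N_1 ∩ cpre(Z)
        n1 = nxt
    f2 = ("down", frozenset([n1]))                 # F_2 = down{N_1#} (Equation i)
    while f2 != (nxt := ("down", f2[1] | pre(2, f2, zero(3))[1])):   # Equation 19
        f2 = nxt
    # I_2 ∈ N_3 = up{F_2#}  <=>  I_1 = {I_0} ∈ F_2#                    (Eq. 21)
    #   <=>  some generator t of F_2# has I_0 ∈ [[t]]                   (Eq. 20)
    #   <=>  for that t, I_0 meets every generator R of t               (Eq. 22)
    i2_in_n3 = any(all(I0 & R for R in t[1]) for t in f2[1])
    return f0, n1, f2, not i2_in_n3                # last item: True iff ⊨ φ

def powerset(s):
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

Q1 = powerset(Q0)                                  # the 8 states of A_1

def denote(k, t):                                  # explicit denotation, k ≤ 2
    if k == 0:
        return t
    dens, cands = [denote(k - 1, s) for s in t[1]], (Q1 if k == 1 else powerset(Q1))
    if k % 2:                                      # up-term: meet every generator
        return frozenset(P for P in cands if all(P & d for d in dens))
    return frozenset(P for P in cands if any(P <= d for d in dens))

def post1(P, sym):                                 # A_1 = det(pi_1(A_0)), sym = (x2, x3)
    return frozenset(q for p, s, q in DELTA0 if p in P and s[1:] == sym)

def post2(P2, sym):                                # A_2 = det(pi_2(A_1)), sym = (x3,)
    return frozenset(post1(P, s) for P in P2 for s in lift(sym))

def explicit_check():
    """Rebuild N_1# and F_2# on the explicit A_1 (8 states) and A_2 (256
    states); return (symbolic terms denote exactly these sets, |F_2#|)."""
    f0, n1, f2, valid = decide()
    q2 = powerset(Q1)
    n1x = frozenset(P for P in Q1 if P & f0)
    while n1x != (nxt := frozenset(P for P in n1x if all(
            post1(P, s) in n1x for s in lift(zero(2))))):
        n1x = nxt
    f2x = frozenset(P2 for P2 in q2 if P2 <= n1x)
    while f2x != (nxt := f2x | frozenset(P2 for P2 in q2 if any(
            post2(P2, s) in f2x for s in lift(zero(3))))):
        f2x = nxt
    agree = (denote(1, n1) == n1x and denote(2, f2) == f2x
             and (frozenset([I0]) in f2x) == (not valid))
    return agree, len(f2x)
```

For this automaton the level-1 fixpoint refines $\uparrow\bigcup\{\{a,b\}\}$ to $\uparrow\bigcup\{\{a\}\}$ in one step, the level-2 fixpoint adds the generator $\uparrow\bigcup\{\{c\}\}$ through the $\mathit{cpre}$-images of Equation (19), and since $I_0 = \{a\}$ meets the generator of $\uparrow\bigcup\{\{a\}\}$, $I_2 \in N_3$ and the formula is not valid. Only the up-terms are pruned here; the down-term of level 2 keeps generators such as $\uparrow\bigcup\{\emptyset\}$ that the subsumption of Section 5.6 would remove.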


Example. We will demonstrate the run of our algorithm on the following abstract example. Consider a ground WS1S formula $\varphi$ with a prefix of three quantifiers over the matrix $\varphi_0$ and an FA $\mathcal{A}_0 = (Q_0, \Delta_0, I_0 = \{a\}, F_0 = \{a, b\})$ that represents $\varphi_0$. Recall that our method decides validity of $\varphi$ by computing symbolically the sequence of sets $F_0^\#, N_1^\#, F_2^\#, N_3$, each of them represented using a symbolic term, and then checks if $I_3 \cap N_3 \neq \emptyset$. In the following paragraphs, we will show how such a sequence is computed and interleave the description with examples of possible intermediate results.

The fixpoint computation from Equation (ii) of the first set in the sequence, $F_0^\#$, is an explicit computation of the set of states backward-reachable from $F_0$ via $\bar{0}$ transitions of $\Delta_0$. It is done using Equation 13, yielding, e.g. the term

$t[F_0^\#] = F_0^\# = \{a, b, c\}.$

The fixpoint computation of $N_1^\#$ from Equation (iv) is done symbolically. It starts from the set $N_1$ represented using Equation (iii) as the term $t[N_1] = \uparrow\bigcup\{\{a, b, c\}\}$, and each of its iterations is carried out using Equation 12. Equation 12 transforms the problem of computing the $\mathit{cpre}[\mathcal{A}_1,\omega]$-image of a term into a computation of a series of $\mathit{pre}[\mathcal{A}_0,\omega]$-images of its sub-terms, which is carried out using Equation 13 in the same way as when computing $t[F_0^\#]$, ending with, e.g. the term

$t[N_1^\#] = \uparrow\bigcup\{\{a, b, c\}, \{b, c\}, \{c, d\}\}.$

The term representing $F_2$ is then $t[F_2] = \downarrow\{t[N_1^\#]\}$, due to Equation (i). The symbolic fixpoint computation of $F_2^\#$ from Equation (ii) then starts from $t[F_2]$, in our example

$t[F_2] = \downarrow\{\uparrow\bigcup\{\{a, b, c\}, \{b, c\}, \{c, d\}\}\}.$

Its steps are computed using Equation (19), which transforms the computation of the image of $\mathit{pre}[\mathcal{A}_2,\omega]$ into computations of a series of $\mathit{cpre}[\mathcal{A}_1,\omega]$-images of sub-terms. These are in turn transformed by Lemma 1 into computations of $\mathit{pre}[\mathcal{A}_0,\omega]$-images of sub-sub-terms, subsets of $Q_0$, in our example yielding, e.g. the term

$t[F_2^\#] = \downarrow\{\uparrow\bigcup\{\{a, b, c\}, \{b, c\}, \{c, d\}\}, \uparrow\bigcup\{\{b\}, \{d\}\}, \uparrow\bigcup\{\{a\}, \{c, d\}\}\}.$

Using Equation (iv), the final term representing $N_3$ is then

$t[N_3] = \uparrow\bigcup\{\downarrow\{\uparrow\bigcup\{\{a, b, c\}, \{b, c\}, \{c, d\}\}, \uparrow\bigcup\{\{b\}, \{d\}\}, \uparrow\bigcup\{\{a\}, \{c, d\}\}\}\}.$

In the next section, we will describe how we check whether $I_3 \cap F_3 \neq \emptyset$ using the computed term $t[N_3]$.
5.5 Testing $I_m \cap F_m \neq \emptyset$ on Symbolic Terms

Due to the special form of the set $I_m$ (every $I_i$, $1 \le i \le m$, is the singleton set $\{I_{i-1}\}$, cf. Section 5.1), the test $I_m \cap F_m \neq \emptyset$ can be done efficiently over the symbolic terms representing $F_m$. Because $I_m = \{I_{m-1}\}$ is a singleton set, testing $I_m \cap F_m \neq \emptyset$ is equivalent to testing $I_{m-1} \in F_m$. If $m$ is odd, our approach computes the symbolic representation of $N_m$ instead of $F_m$. Obviously, since $N_m$ is the complement of $F_m$, it holds that $I_{m-1} \in F_m \iff I_{m-1} \notin N_m$. Our way of testing $I_{m-1} \in Y_m$ on a symbolic representation of the set $Y_m$ of level $m$ is based on the following equations:

$\{x\} \in \downarrow\mathbb{Y} \iff \exists y \in \mathbb{Y} : x \in y$ (20)

$\{x\} \in \uparrow\bigcup\mathbb{Y} \iff \forall y \in \mathbb{Y} : x \in y$ (21)

and for $i = 0$,

$I_0 \in \uparrow\bigcup\mathbb{Y} \iff \forall y \in \mathbb{Y} : I_0 \cap y \neq \emptyset.$ (22)

Given a symbolic term $t[X]$ of level $m$ representing a set $X \subseteq Q_m$, testing emptiness of $I_m \cap F_m$ or $I_m \cap N_m$ can be done over $t[X]$ by a recursive procedure that descends along the structure of $t[X]$ using Equations (20) and (21), essentially generating an AND-OR tree, terminating the descent by the use of Equation (22).
Example. In the example of Section 5.4 we would test whether $\{\{\{\{a\}\}\}\} \cap N_3 = \emptyset$ over $t[N_3]$. This is equivalent to testing whether $I_2 = \{\{\{a\}\}\} \in N_3$. From Equation (21) we get that

$I_2 \in N_3 \iff I_1 = \{\{a\}\} \in F_2^\#$ (23)

because $F_2^\#$ is the denotation of the only sub-term $t[F_2^\#]$ of $t[N_3]$. Equation (20) implies that

$I_1 = \{\{a\}\} \in F_2^\# \iff \{a\} \in N_1^\# \vee \{a\} \in \uparrow\bigcup\{\{b\}, \{d\}\} \vee \{a\} \in \uparrow\bigcup\{\{a\}, \{c, d\}\}.$ (24)

Each of the disjuncts could then be further reduced by Equation (21) into a conjunction of membership queries on the base level which would be solved by Equation (22). Since none of the disjuncts is satisfied, we conclude that $I_1 \notin F_2^\#$, so $I_2 \notin N_3$, implying that $I_2 \in F_3$, and thus obtain the result $\models \varphi$.

5.6 Subsumption of Symbolic Terms

Although the use of symbolic terms instead of an explicit enumeration of sets of states itself considerably reduces the searched space, an even greater degree of reduction can be obtained using subsumption inside the symbolic representatives to reduce their size, similarly as in the antichain algorithms [?]. For any set of sets $\mathbb{X}$ containing a pair of distinct elements $Y, Z \in \mathbb{X}$ s.t. $Y \subseteq Z$, it holds that

$\downarrow\mathbb{X} = \downarrow(\mathbb{X} \setminus \{Y\})$ and $\uparrow\bigcup\mathbb{X} = \uparrow\bigcup(\mathbb{X} \setminus \{Z\}).$ (25)

Therefore, if $\mathbb{X}$ is used to represent the set $\downarrow\mathbb{X}$, the element $Y$ is subsumed by $Z$ and can be removed from $\mathbb{X}$ without changing its denotation. Likewise, if $\mathbb{X}$ is used to represent $\uparrow\bigcup\mathbb{X}$, the element $Z$ is subsumed by $Y$ and can be removed from $\mathbb{X}$ without changing its denotation. We can thus simplify any symbolic term by pruning out its sub-terms that represent elements subsumed by elements represented by other sub-terms, without changing the denotation of the term.

Computing subsumption on terms can be done using the following two equations:

$\downarrow\mathbb{X} \subseteq \downarrow\mathbb{Y} \iff \forall x \in \mathbb{X}\ \exists y \in \mathbb{Y} : x \subseteq y$ (26)

$\uparrow\bigcup\mathbb{X} \subseteq \uparrow\bigcup\mathbb{Y} \iff \forall y \in \mathbb{Y}\ \exists x \in \mathbb{X} : x \subseteq y.$ (27)

Using Equations (26) and (27), testing subsumption of terms of level $i$ reduces to testing subsumption of terms of level $i-1$. The procedure for testing subsumption of two terms descends along the structure of the term, using Equations (26) and (27) on levels greater than 0, and on level 0, where terms are subsets of $Q_0$, it tests subsumption by set inclusion.

Example. In the example from Section 5.4 we can use the inclusion $\{b, c\} \subseteq \{a, b, c\}$ and Equation (25) to reduce $t[N_1^\#] = \uparrow\bigcup\{\{a, b, c\}, \{b, c\}, \{c, d\}\}$ to the term

$t[N_1^\#]' = \uparrow\bigcup\{\{b, c\}, \{c, d\}\}.$

Moreover, Equation (27) implies that $\uparrow\bigcup\{\{a, b, c\}, \{b, c\}, \{c, d\}\}$ is subsumed by the term $\uparrow\bigcup\{\{b\}, \{d\}\}$, and, therefore, we can reduce the term $t[F_2^\#]$ to the term

$t[F_2^\#]' = \downarrow\{\uparrow\bigcup\{\{b\}, \{d\}\}, \uparrow\bigcup\{\{a\}, \{c, d\}\}\}.$

Table 1. Results for practical examples

                          Time [s]            Space [states]
Benchmark               MONA     dWiNA       MONA     dWiNA
reverse-before-loop     0.01     0.01         179        47
insert-in-loop          0.01     0.01         463       110
bubblesort-else         0.01     0.01       1 285       271
reverse-in-loop         0.02     0.02       1 311       274
bubblesort-if-else      0.02     0.23       4 260     1 040
bubblesort-if-if        0.12     1.14       8 390     2 065
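The membership test of Section 5.5 (Equations 20-22) and the subsumption and pruning of Section 5.6 (Equations 25-27), run over the terms of the example of Section 5.4, as an added Python example that is not code from the paper or from dWiNA. The term encoding, the function names and the helper `initial` (building $I_k = \{I_{k-1}\}$ from $I_0 = \{a\}$) are the example's own; `prune` applies Equation (25) bottom-up using `subsumes` to compare the denotations of sub-terms.

```python
"""Testing I_{m-1} ∈ Y_m (Equations 20-22) and subsumption between terms
(Equations 25-27) on the terms of the running example.  Added example; not
code from the paper or from dWiNA.  Encoding: level 0 = frozenset of base
states, odd level = ('up', gens), even level = ('down', gens).
"""

def S(*xs):                      # a base-level set, e.g. S('a', 'b', 'c')
    return frozenset(xs)

def term(tag, *gens):
    return (tag, frozenset(gens))

# The terms printed in the example of Section 5.4 (I_0 = {a}).
I0 = S("a")
T_N1 = term("up", S("a", "b", "c"), S("b", "c"), S("c", "d"))          # t[N_1#]
T_F2 = term("down", T_N1, term("up", S("b"), S("d")), term("up", S("a"), S("c", "d")))
T_N3 = term("up", T_F2)                                               # t[N_3]

def initial(k):
    """I_k: I_0 at level 0, otherwise the singleton {I_{k-1}} (Section 5.1)."""
    return I0 if k == 0 else frozenset([initial(k - 1)])

def member(k, x, t):
    """x ∈ [[t]] for a level-k term t, descending the AND-OR tree of Section 5.5.
    For k ≥ 2 the candidate x is a singleton {x'} (Equations 20 and 21); the
    descent ends at level 1 with Equation (22) on the base-level set x."""
    if k == 1:
        return all(x & R for R in t[1])                           # (22)
    (x_inner,) = x
    if k % 2 == 0:
        return any(member(k - 1, x_inner, s) for s in t[1])        # (20): exists
    return all(member(k - 1, x_inner, s) for s in t[1])            # (21): for all

def subsumes(k, t1, t2):
    """[[t1]] ⊆ [[t2]] for level-k terms; level 0 is plain set inclusion."""
    if k == 0:
        return t1 <= t2
    if k % 2 == 0:                      # (26): ∀x ∈ X ∃y ∈ Y : x ⊆ y
        return all(any(subsumes(k - 1, x, y) for y in t2[1]) for x in t1[1])
    return all(any(subsumes(k - 1, x, y) for x in t1[1]) for y in t2[1])   # (27)

def prune(k, t):
    """Equation (25) applied bottom-up: a down-term drops a generator whose
    denotation is included in another generator's, an up-term drops one that
    includes another's.  Of two generators with equal denotation one survives."""
    if k == 0:
        return t
    pending, kept = list({prune(k - 1, s) for s in t[1]}), []
    while pending:
        g = pending.pop()
        rivals = kept + pending
        if k % 2 == 0:
            redundant = any(subsumes(k - 1, g, h) for h in rivals)
        else:
            redundant = any(subsumes(k - 1, h, g) for h in rivals)
        if not redundant:
            kept.append(g)
    return (t[0], frozenset(kept))

def example_verdict():
    """I_3 ∩ N_3 ≠ ∅ iff I_2 ∈ N_3; returns (I_2 ∈ N_3, I_2 ∈ F_3)."""
    in_n3 = member(3, initial(2), T_N3)
    return in_n3, not in_n3
```

`example_verdict()` reproduces the reasoning of Equations (23) and (24): none of the three generators of $t[F_2^\#]$ contains $\{a\}$, so $I_2 \notin N_3$ and $I_2 \in F_3$. `prune(1, T_N1)` yields $\uparrow\bigcup\{\{b, c\}, \{c, d\}\}$ as in the example above, and `subsumes` with $k = 1$ decides Equation (27) between two up-terms directly, which is what the recursive descent uses at every odd level.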


6 Experimental Evaluation

We implemented a prototype of the presented approach in the tool dWiNA [23] and evaluated it in a benchmark of both practical and generated examples. The tool uses the frontend of MONA to parse input formulae and also for the construction of the base automaton, and further uses the MTBDD-based representation of FAs from the libvata [24] library. The tool supports the following two modes of operation.

In mode I, we use MONA to generate the deterministic automaton corresponding to the matrix of the formula $\varphi$, translate it to libvata and run our algorithm for handling the prefix of $\varphi$ using libvata. In mode II, we first translate the formula $\varphi$ into the formula $\varphi'$ in prenex normal form (i.e. it consists of a quantifier prefix and a quantifier-free matrix) where the occurrence of negation in the matrix is limited to literals, and then construct the nondeterministic automaton $\mathcal{A}_{\varphi'_0}$ directly using libvata.

Our experiments were performed on an Intel Core i7-4770@3.4 GHz processor with 32 GiB RAM. The practical formulae for our experiments that we report on here were obtained from the shape analysis of [5] and evaluated using mode I of our tool; the results are shown in Table 1 (see [23] for additional experimental results). We measure the time of runs of the tools for processing only the prefix of the formulae. We can observe that w.r.t. the speed, we get comparable results; in some cases dWiNA is slower than MONA, which we attribute to the fact that our prototype implementation is, when compared with MONA, quite immature. Regarding space, we compare the sum of the number of states of all automata generated by MONA when processing the prefix of $\varphi$ with the number of symbolic terms generated by dWiNA for processing the same. We can observe
a significant reduction in the generated state space. We also tried to run dWiNA on the modified formulae in mode II but ran into the problem that we were not able to construct the nondeterministic automaton for the quantifier-free matrix $\varphi'_0$ in reasonable time. This was because after transformation of $\varphi$ into prenex normal form, if $\varphi'_0$ contains many conjunctions, the sizes of the automata generated using intersection grow too large (one of the reasons for this is that libvata in its current version does not support efficient reduction of automata).

Table 2. Results for generated formulae

         Time [s]            Space [states]
k      MONA     dWiNA       MONA     dWiNA
2      0.20     0.01      25 517        44
3      0.57     0.01      60 924        50
4      1.79     0.02     145 765        58
5      4.98     0.02     349 314        70
6        ∞      0.47           ∞        90

To better evaluate the scalability of our approach, we created several parameterized families of WS1S formulae. We start with basic formulae encoding interesting relations among subsets of $\mathbb{N}_0$, such as existence of certain transitive relations, singleton sets, or intervals (their full definition can be found in [23]). From these we algorithmically create families of formulae with larger quantifier depth, regardless of the meaning of the created formulae (though their semantics is still nontrivial). In Table 2 we give the results for one of the families where the basic formula expresses existence of an ascending chain of $n$ sets ordered w.r.t. $\subseteq$. The parameter $k$ stands for the number of alternations in the prefix of the formulae:

$\exists Y : \neg\exists X_1\ \neg \ldots \neg\exists X_k, \ldots, X_n : \bigwedge_{1 \le i < n} \big((X_i \subseteq Y \wedge X_i \subseteq X_{i+1}) \Rightarrow X_{i+1} \subseteq Y\big).$

We ran the experiments in mode II of dWiNA (the experiment in mode I was not successful due to a too costly conversion of a large base automaton from MONA to libvata).


7 Conclusion and Future Work

We presented a new approach for dealing with alternating quantifications within the automata-based decision procedure for WS1S. Our approach is based on a generalization of the idea of the so-called antichain algorithm for testing universality or language inclusion of finite automata. Our approach processes a prefix of the formula with an arbitrary number of quantifier alternations on-the-fly using an efficient symbolic representation of the state space, enhanced with subsumption pruning. Our experimental results are encouraging (our tool often outperforms MONA) and show that the direction started in this paper—using modern techniques for nondeterministic automata in the context of deciding WS1S formulae—is promising.

An interesting direction of further development seems to be lifting the symbolic $\mathit{pre}$/$\mathit{cpre}$ operators to a more general notion of terms that allow working with general sub-formulae (that may include logical connectives and nested quantifiers). The algorithm could then be run over arbitrary formulae, without the need of the transformation into the prenex form. This would open a way of adopting optimizations used in other tools as well as syntactical optimizations of the input formula such as anti-prenexing. Another way of improvement is using simulation-based techniques to reduce the generated automata as well as to weaken the term-subsumption relation (an efficient algorithm for computing simulation over BDD-represented automata is needed). We also plan to extend the algorithms to WSkS and tree automata, and perhaps even further to more general inductive structures.
A Proofs for Section 5

Lemma 3. Let $\mathbb{X}$ and $\mathbb{Y}$ be sets of sets. Then it holds that

$\uparrow\bigcup\mathbb{X} \cap \uparrow\bigcup\mathbb{Y} = \uparrow\bigcup(\mathbb{X} \cup \mathbb{Y}).$ (28)

Proof. From the definition of the $\uparrow\bigcup$ operator, it holds that

$\uparrow\bigcup\mathbb{X} = \uparrow\{\{x_1, \ldots, x_n\} \mid (x_1, \ldots, x_n) \in \Pi\mathbb{X}\}$ and $\uparrow\bigcup\mathbb{Y} = \uparrow\{\{y_1, \ldots, y_m\} \mid (y_1, \ldots, y_m) \in \Pi\mathbb{Y}\}.$ (29)

Notice that the intersection of a pair of upward closed sets given by their generators can be constructed by taking all pairs of generators $(X, Y)$ s.t. $X$ is from $\bigcup\mathbb{X}$ and $Y$ is from $\bigcup\mathbb{Y}$, and constructing the set $X \cup Y$. It is easy to see that $X \cup Y$ is a generator of $\uparrow\bigcup\mathbb{X} \cap \uparrow\bigcup\mathbb{Y}$ and that $\uparrow\bigcup\mathbb{X} \cap \uparrow\bigcup\mathbb{Y}$ is generated by all such pairs, i.e. that $\uparrow\bigcup\mathbb{X} \cap \uparrow\bigcup\mathbb{Y}$ is equal to

$\uparrow\{\{x_1, \ldots, x_n\} \cup \{y_1, \ldots, y_m\} \mid (x_1, \ldots, x_n) \in \Pi\mathbb{X} \wedge (y_1, \ldots, y_m) \in \Pi\mathbb{Y}\}.$ (30)

We observe that this set can be also expressed as

$\uparrow\{\{x_1, \ldots, x_n, y_1, \ldots, y_m\} \mid (x_1, \ldots, x_n, y_1, \ldots, y_m) \in \Pi(\mathbb{X} \cup \mathbb{Y})\}$ (31)

or, to conclude the proof, as $\uparrow\bigcup(\mathbb{X} \cup \mathbb{Y})$. □

Lemma 4. (Equation 9) Let $\mathcal{R}$ be a set of sets. Then, it holds that

$\uparrow\bigcup\mathcal{R} = \bigcap_{R_j \in \mathcal{R}} \uparrow\bigcup\{R_j\}.$ (32)

Proof. Because intersection and union are both associative operations and $\mathcal{R} = \{R_1, \ldots, R_n\}$, this lemma is a simple consequence of Lemma 3. □

Lemma 5. (Equation 10) Let $R_j \subseteq Q_{i-1}$ and $\omega$ be a symbol over $\pi_i(\Sigma)$ for $i > 0$. Then

$\mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\}) = \uparrow\bigcup\{\mathit{pre}[\mathcal{A}_{i-1},\omega](R_j)\}.$ (33)

Proof. First, we show that the set $\mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ is upward closed. Second, we show that all elements of the set $\bigcup\{\mathit{pre}[\mathcal{A}_{i-1},\omega](R_j)\}$ are contained in $\mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$. Finally, we show that for every element $T$ in the set $\mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ there is a smaller element $S$ in the set $\bigcup\{\mathit{pre}[\mathcal{A}_{i-1},\omega](R_j)\}$.

1. Proving that $\mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ is upward closed: Consider a state $S \in Q_i$ s.t. $S \in \mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$. From the definition of $\mathit{cpre}$, it holds that

$\mathit{post}[\mathcal{A}_i,\omega](\{S\}) \subseteq \uparrow\bigcup\{R_j\},$ (34)

and from the definition of $\Delta_i$, it holds that

$\mathit{post}[\mathcal{A}_i,\omega](\{S\}) = \{\mathit{post}[\mathcal{A}_{i-1},\omega](S)\}.$ (35)

For $T \supseteq S$, it clearly holds that

$\mathit{post}[\mathcal{A}_{i-1},\omega](T) \supseteq \mathit{post}[\mathcal{A}_{i-1},\omega](S)$ (36)

and, therefore, it also holds that

$\mathit{post}[\mathcal{A}_i,\omega](\{T\}) = \{\mathit{post}[\mathcal{A}_{i-1},\omega](T)\} \subseteq \uparrow\bigcup\{R_j\}.$ (37)

Therefore, $T \in \mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ and the set $\mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ is upward closed.

2. Proving that for all elements $S \in \bigcup\{\mathit{pre}[\mathcal{A}_{i-1},\omega](R_j)\}$ it holds that $S \in \mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$: From the properties of $\bigcup$, it holds that $S = \{s\}$ is a singleton. Because $s \in \mathit{pre}[\mathcal{A}_{i-1},\omega](R_j)$, there is a transition $s \xrightarrow{\omega} r \in \Delta_{i-1}$ for some $r \in R_j$. Since $\mathit{post}[\mathcal{A}_{i-1},\omega](S) \supseteq \{r\}$, it follows from the definition of $\Delta_i$ that $\mathit{post}[\mathcal{A}_i,\omega](\{S\}) = \{T\}$ where $T \supseteq \{r\}$, and so $T \in \uparrow\bigcup\{R_j\}$ and $\mathit{post}[\mathcal{A}_i,\omega](\{S\}) \subseteq \uparrow\bigcup\{R_j\}$. We use the definition of $\mathit{cpre}$ to conclude that $S \in \mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$.

3. Proving that for every $T \in \mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ there exists some element $S \in \bigcup\{\mathit{pre}[\mathcal{A}_{i-1},\omega](R_j)\}$ such that $S \subseteq T$: From $T \in \mathit{cpre}[\mathcal{A}_i,\omega](\uparrow\bigcup\{R_j\})$ and the definition of $\Delta_i$, we have that

$\mathit{post}[\mathcal{A}_i,\omega](\{T\}) = \{P\} \subseteq \uparrow\bigcup\{R_j\}$ (38)

for $P$ s.t. $\mathit{post}[\mathcal{A}_{i-1},\omega](T) = P$. Since $P \in \uparrow\bigcup\{R_j\}$, there exists $r \in R_j \cap P$ and $t \in T$ s.t. $t \xrightarrow{\omega} r \in \Delta_{i-1}$. Because $t \in \mathit{pre}[\mathcal{A}_{i-1},\omega](\{r\})$, we choose $S = \{t\}$ and we are done. □


Lemma 6. (Equation 11) Let $R_j \subseteq Q_{i-1}$ and $\omega$ be a symbol over $\pi_i(\Sigma)$ for $i > 0$. Then

$\mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\}) = \downarrow\{\mathit{cpre}[\mathcal{A}_{i-1},\omega](R_j)\}.$ (39)

Proof. First, we show that $\mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$ is downward closed. Second, we show that $S = \mathit{cpre}[\mathcal{A}_{i-1},\omega](R_j)$ is in $\mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$. Finally, we show that every element $T$ in $\mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$ is smaller than $S$.

1. Proving that $\mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$ is downward closed: Consider a state $S' \in Q_i$ s.t. $S' \in \mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$. From the definitions of $\mathit{pre}$ and $\Delta_i$, it holds that

$\mathit{post}[\mathcal{A}_i,\omega](\{S'\}) = \{\mathit{post}[\mathcal{A}_{i-1},\omega](S')\} \subseteq \downarrow\{R_j\},$ (40)

and, therefore, $\mathit{post}[\mathcal{A}_{i-1},\omega](S') \in \downarrow\{R_j\}$. For $T \subseteq S'$, it clearly holds that

$\mathit{post}[\mathcal{A}_{i-1},\omega](T) \subseteq \mathit{post}[\mathcal{A}_{i-1},\omega](S')$ (41)

and so it also holds that

$\mathit{post}[\mathcal{A}_i,\omega](\{T\}) = \{\mathit{post}[\mathcal{A}_{i-1},\omega](T)\} \subseteq \downarrow\{R_j\}.$ (42)

Therefore, $T \in \mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$ and $\mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$ is downward closed.

2. Proving that $S = \mathit{cpre}[\mathcal{A}_{i-1},\omega](R_j) \in \mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$: From the definition of $\mathit{cpre}$, it holds that

$\mathit{post}[\mathcal{A}_{i-1},\omega](S) = S' \subseteq R_j.$ (43)

Further, from the definition of $\Delta_i$, it holds that $S \xrightarrow{\omega} S' \in \Delta_i$ and, therefore, $S \in \mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$.

3. Proving that for every $T \in \mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$ it holds that $T \subseteq S$: From $T \in \mathit{pre}[\mathcal{A}_i,\omega](\downarrow\{R_j\})$, we have that $T \xrightarrow{\omega} P \in \Delta_i$ for $P \subseteq R_j$ and, from the definition of $\Delta_i$, we have that $P = \mathit{post}[\mathcal{A}_{i-1},\omega](T)$. From $P = \mathit{post}[\mathcal{A}_{i-1},\omega](T)$ and the definition of $\mathit{cpre}$, it is easy to see that $T \subseteq \mathit{cpre}[\mathcal{A}_{i-1},\omega](P)$, and, moreover,

$P \subseteq R_j \Rightarrow \mathit{cpre}[\mathcal{A}_{i-1},\omega](P) \subseteq \mathit{cpre}[\mathcal{A}_{i-1},\omega](R_j).$ (44)

Therefore, we can conclude that $T \subseteq \mathit{cpre}[\mathcal{A}_{i-1},\omega](R_j) = S$. □